Fortigate Commands

This document provides commands for network management, diagnostics, security, and performance of FortiGate devices. It includes commands to execute ping, traceroute, display ARP tables and interfaces, capture packets, view routes, configure VPN, address objects, high availability, logs, and performance. It also includes commands for debugging processes, applications, and flows, as well as configuring authentication, content, sandbox, and backups.

NETWORK MANAGEMENT

execute ping <hostname|ip> Execute a ping


execute ping-options ? Show the options to configure a ping before executing it
execute ping-options source <ip src> Configure ping from a specific interface
execute traceroute <hostname|ip> Run an IP hop trace
Commands for IPv6
execute ping6-options ?
execute ping6 <hostname|ip>
execute tracert6 <hostname|ip>
execute ping-options reset Reset the ping tool to its default settings

get system arp Show the ARP table of the device, these are all the devices it can reach at layer 2.
get system session list Show the active sessions on the device, equivalent to netstat
get system interface physical Check the status of the hardware interfaces.
config system interface Enter the interface configuration section
diagnose ip arp list Show the ARP table of the device

Packet sniffer capture


diagnose sniffer packet <interface> '<filter>' <verbose> Runs a sniffer on a given interface, with a filter for services/devices and a detail level
The filters follow the common logic of Wireshark: logical operators and concatenators. Quote a filter that contains spaces.
Examples
diagnose sniffer packet any 'host x.x.x.x and icmp'
diagnose sniffer packet any 'host x.x.x.x and port xx or port xx'
diagnose sniffer packet any 'host x.x.x.x and not port xx'

Routing
get router info routing-table all Table of routes
diagnose ip route list detailed information of the route table
get router info routing-table details x.x.x.x Details for the IP x.x.x.x
get router info kernel Complete routing/forwarding table
get router <routing-protocol> Information by routing protocol
diagnose firewall proute list PBR Information
diagnose ip rtcache list Route cache information = active sessions with routing information

VPNs
diag vpn tunnel flush <phase1 name> reset the sa session
diagnose vpn tunnel reset complete tunnel reset

Objects
config firewall address configure or edit an address object in the FortiGate
config firewall addrgrp configure or edit an address group object in the FortiGate

SYSTEM/HARDWARE MANAGEMENT

(global)#set admintimeout Change the session time of the GUI interface; for telnet/ssh/console, it is in the same section.

config system global Display the global configuration of the device


get system status
show/get system global View global configuration
show full-configuration View full configuration in C++ mode
execute tac report get all system information in a single command
grep is used with the pipe sign to search within a context for a string of characters
show | grep -f ipv6 will search for everything that says ipv6 within the global configuration (show)
show full-configuration | grep -f ipv6 will search for everything that says ipv6 within the full configuration

diagnose autoupdate versions


get hardware nic <nic-name> details of a specific interface
fnsysctl ifconfig <nic-name> Hidden command to see all the details of an interface

High Availability
diagnose sys ha HA configuration context has multiple options
diagnose sys ha status Know the status of the cluster
execute ha manage ? Show the IDs of the cluster nodes
execute ha manage <device-index> Manage FortiGate B from A or vice versa; the device index can be 'serial' or 'device id'
diagnose sys ha checksum show
Check whether the checksums match to see if the nodes are synchronized.

execute factoryreset Restore the device to factory settings


execute executes multiple actions, see options with ?

config log ? Configure the general logging options for different objects or processes GUI/memory/fortianalyzer
config log memory setting Adjust the log settings in memory, preferably disable it (uses RAM)
config log fortiguard ? Adjust the settings in FortiCloud

PERFORMANCE MANAGEMENT

get system status


get sys perf status Device performance
<cpu-memory-nic-status>
diagnose sys top Check the top services of the system
diagnose sys top-summary Performance diagnosis by process, detailing CPU/MEMORY/APPLICATION/TIME
get system performance top monitoring the performance of the services with the highest resource consumption
get system performance status CPU and network usage

DIAGNOSIS

show Show the configuration of the context in which you find yourself
get Show all available options in the context where you are.

Process/Application Diagnosis ips


diagnose test application ? smtp/pop3/imap/urlfilter for testing/tweaking
diagnose test application <application> ? execute multiple actions on the app: 1: Display info 2: Enable/disable 99: restart process

Debug Flow (Execution process)

1) Clean the Debugger Stop, clean, and reset the debug tool
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
2) Prepare the debug Prepare the tool by filtering the services or objects of interest, some examples:
diagnose debug flow filter addr x.x.x.x debug on a specific ip
diagnose debug flow filter saddr debug of a specific source IP
diagnose debug flow filter daddr debug of a specific destination IP
diagnose debug flow filter port x debug on a specific port
diagnose debug flow filter proto x debug by protocol
protocol number 1 = ICMP (ping)
protocol number 6 = TCP
protocol number 17 = UDP
diagnose debug application ? debug of the application or process sip/http/smtp/pop3/imap/ike/ipsmonitor/dhcpc/ddnscd

diagnose debug flow trace start 50 define the number of packets to analyze

3) Run debug

Turn on/Turn off debug Start or end the debug process


diagnose debug enable
diagnose debug disable

Download archive

Debug: System > Settings > Advanced > Debug > Download debug log option

USER MANAGEMENT

Maintainer user Enable or disable


config system global
set admin-maintainer {enable | disable}
end

SECURITY SETTINGS

Configure FailOpen
config system global Display the global configuration of the equipment
set av-failopen {off | pass | one-shot | idledrop}
end

Inspection with db AV Extreme Enable AV inspection with the most complete database from FortiGate.
config antivirus settings
set default-db {normal | extended | extreme} (available only on high-end devices)

Grayware scanning Runs after AV; scans traffic with its own database in search of unidentified/new viruses.
config antivirus settings
set grayware ? Enable or disable grayware inspection

Configure Heuristic Inspection Runs after grayware; the engine executes the file and tests for viruses (false positives)
config antivirus heuristic ? Heuristic mode configuration options: activate/deactivate

Configure Content Disarm and Reconstruction (CDR)


Sanitizes Zip files, Microsoft files, and PDFs: disassembles them and rebuilds them
Works only with HTTP, SMTP, POP3, IMAP
Does not work with flow-based inspection
config antivirus profile enter the antivirus profile section
edit <profile-name> edit the selected profile
config content-disarm configure settings in CDR
config <service> configure settings in each available service for this option
(service) set content-disarm within a service, enable or disable CDR

Cloud Sandbox Configuration

Password Recovery Log in with the console and restart the machine (while connected and with the session open)
config system admin
edit admin
set password <newpassword>
end
config global If the VDOMs function is enabled, use this command
config system admin
edit admin
set password <newpassword>
end

Backups/Restore
execute restore <object> Select the object to be backed up / Each object has its files
